Prevent OOB in rw_i93.cc
Bug: 139188579
Test: Read/Write/Lock Type 5 Tag
Merged-In: Ife24f097c926184019038e559cbd806b289911c6
Change-Id: Ife24f097c926184019038e559cbd806b289911c6
(cherry picked from commit 49aa830b5d30e8db524d62c87d1af931635fdf5d)
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index 6c6f4bd..41273f6 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -43,6 +43,8 @@
#define RW_I93_FORMAT_DATA_LEN 8
/* max getting lock status if get multi block sec is supported */
#define RW_I93_GET_MULTI_BLOCK_SEC_SIZE 253
+/*Capability Container CC Size */
+#define RW_I93_CC_SIZE 4
/* main state */
enum {
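Review bot: The comment on the new macro, `/*Capability Container CC Size */`, lacks the leading space the neighbouring comments use and does not state the unit; `/* Capability Container (CC) size in bytes */` matches the lines above it. Since this value now bounds every read of the CC out of a tag response, saying "bytes" here saves the reader a trip to the two call sites that compare `length` against it.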
@@ -1492,8 +1494,14 @@
case RW_I93_SUBSTATE_WAIT_CC:
- /* assume block size is more than 4 */
- STREAM_TO_ARRAY(cc, p, 4);
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
+ /* assume block size is more than RW_I93_CC_SIZE 4 */
+ STREAM_TO_ARRAY(cc, p, RW_I93_CC_SIZE);
status = NFC_STATUS_FAILED;
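Review bot: The guard compares `length` with RW_I93_CC_SIZE, but the hunk does not show whether `length` was already reduced when the leading flags byte of the response was consumed and `p` advanced past it; if `length` still counts the whole response, a 4-byte payload passes the check while STREAM_TO_ARRAY reads one byte beyond it, so this is worth confirming against the length bookkeeping earlier in the function, which starts and ends outside the hunk. The retained comment `/* assume block size is more than RW_I93_CC_SIZE 4 */` now describes a verified precondition rather than an assumption; `/* length >= RW_I93_CC_SIZE was checked above; copy the CC bytes */` is more accurate. The same guard-and-log sequence is repeated verbatim in the hunk at line 2545 (where `*(p + 1)` is dereferenced after it), so a small `static` helper that performs the length check, the android_errorWriteLog call and rw_i93_handle_error would keep the two sites in step if the bound ever changes.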
@@ -2537,6 +2545,12 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_CC:
+ if (length < RW_I93_CC_SIZE) {
+ android_errorWriteLog(0x534e4554, "139188579");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
/* mark CC as read-only */
*(p + 1) |= I93_ICODE_CC_READ_ONLY;